CLOUDFLARE


Third Party Code of Conduct


Human Rights 


We believe a better Internet is built on human rights, and that human
rights should inform how we do business. Cloudflare is committed to
respecting human rights under the United Nations Guiding Principles
on Business and Human Rights (UNGPs). The foundation of international
human rights is that they apply equally to all people, everywhere.


Third Parties are required to respect human rights by avoiding causing 
human rights harms, and by mitigating and remediating any harms 
that do occur. Cloudflare strongly encourages all Third Parties to 
publicly commit to the UNGPs, and to periodically report on their 
implementation. 


For more information on Cloudflare’s commitment to human rights, see


Labor


Freedom of Association and Collective 
Bargaining 


Cloudflare is committed to the ILO Declaration
on Fundamental Principles and Rights at Work.
Third Parties should respect and protect the rights 
of workers to seek representation, associate 
freely, and join or not join collective bargaining 
organizations (such as labor unions and workers’ 
councils) in accordance with local laws as well as 
international human rights. 


Occupational Health and Safety 


Third Parties should have procedures in place
to minimize potential safety hazards, including
but not limited to protections from chemical,
biological, or physical agents. Personal protective 
equipment should be provided when appropriate. 
Workers should not be disciplined for raising safety 
concerns. Third Parties should comply with all 
applicable quality, health, safety, and environmental 
regulations. All required permits, licenses and 
registrations should be obtained, maintained and 
kept up-to-date. Third Parties should fulfill their 
operational and reporting requirements. 


Procedures and systems to prevent, manage,
track, and report occupational injury and illness, as
required by law or Cloudflare, should be in place. 
Third Parties should report all incidents at work and 
provide access to necessary medical treatment to 
employees. 


Child Labor 


Third Parties are required to prohibit child labor
consistent with the ILO Declaration on Fundamental
Principles and Rights at Work in their operations
and among their Third Parties. Third Parties are
strongly encouraged to participate in industry
efforts aimed at the elimination of child labor
generally.


Forced Labor and Human Trafficking 


Third Parties are required to prohibit forced
or compulsory labor consistent with the ILO
Declaration on Fundamental Principles and Rights
at Work. Third Parties are strongly encouraged
to participate in industry efforts aimed at the
elimination of forced labor and human trafficking.


For more information on Cloudflare’s commitment
to prohibition of forced labor and human trafficking,
see our Modern Slavery Act Statement.


Discrimination and Harassment


We believe all employees have a right to work
in an environment free from discrimination and
harassment as specified by The Ten Principles
of the UN Global Compact. Third Parties are
required to have clear anti-harassment and
discrimination policies in place which are respected
and enforced appropriately. All personnel are
expected to be treated with dignity and respect.


Diversity, Equity, and Inclusivity 


Third Parties are required to adopt policies and 
procedures that facilitate diverse, equitable, 
and inclusive work environments for all. Third 
Parties are strongly encouraged to report public 
accounting of these initiatives. 


For more information on Cloudflare’s diversity, 
equity, and inclusivity efforts, see Cloudflare’s 
Diversity webpage. 


Governance


Anti-Bribery and Anti-Corruption 


Third Parties may not offer, give, promise, or 
authorize any bribe, gift, loan, fee, reward, or other 
advantage to a government official, employee, 
partner, customer, or any other person to improperly 
influence any action or decision. Further, Third 
Parties must comply with all relevant anti-corruption 
laws, including the U.S. Foreign Corrupt Practices 
Act (FCPA) and the U.K. Bribery Act. 


Trade Compliance 


Cloudflare is committed to conducting our business 
activities in full compliance with the applicable 
import and export laws and regulations of the 
United States, all countries in which Third Parties 
are operating, and any other applicable laws. Third 
Parties must ensure that products, services and 
shipments adhere to all applicable international 
trade compliance laws, rules and regulations. Third 
Parties are expected to incorporate international
Supply Chain Security (SCS) measures into their
business processes as described by the World
Customs Organization’s SAFE Framework or similar
SCS guidelines.


Cloudflare does not work with Third Parties subject 
to sanctions laws including but not limited to US, 
EU, and UK sanctions. Our Third Parties warrant 
that they are not owned (directly or indirectly) or 
controlled by a person or entity subject to sanctions 
laws. 


Anti-Competitive Behavior 


Third Parties may not take any action in combination 
with other companies that may restrain competition, 
particularly in market segments in which a company 
or companies has a particularly strong position. 
Further, Third Parties should comply with laws 
governing fair competition in all activities, and 
promote compliance throughout their supply chain.


Conflicts of Interest 


Third Parties must be free to act with total 
objectivity in their business dealings with Cloudflare, 
and thus must avoid conflicts of interest. If a
potential or actual conflict of interest arises
that interferes with a Third Party’s ability to act
objectively on behalf of Cloudflare, the Third Party
must report all relevant details to Cloudflare.


Data Privacy 


Third Parties are required to comply with applicable 
data protection laws. Third Parties will ensure that
all such safeguards — including the manner in 
which Cloudflare personal data is processed, used, 
disposed of and disclosed — comply with applicable 
law, including without limitation all data protection 
laws. Third Parties will not use any personal
data processed for secondary purposes beyond
the services for which Third Parties have been
contracted.


Data Security 


Third Parties are expected to implement 
administrative, physical, and technical safeguards 
consistent with information security best practices 
and industry standards. Third Parties accessing 
Cloudflare systems must follow Cloudflare security 
policies and use resources provided by Cloudflare 
(e.g., laptop, security key, email address). Third 
Parties are required to complete successful 
background checks on their employees. 


Government Contracting 


Cloudflare is a government contractor. As such,
we comply with all applicable laws and regulations,
including Federal Acquisition Regulations (FARs). 
Some of these obligations will flow down and apply 
to our Third Parties. 


Under Section 889 of the National Defense 
Authorization Act (NDAA), Cloudflare does not 
use, or otherwise permit in its supply chain, 
telecommunications equipment, video surveillance 
products, or services produced or provided by 
Huawei Technologies Company, ZTE Corporation, 
Hytera Communications Corporation, Hangzhou 
Hikvision Digital Technology Company, or Dahua 
Technology Company (or any subsidiary or affiliate 
of those entities). 


Environmental Sustainability


Greenhouse Gas Emissions 


Cloudflare is a signatory of the UN Global Compact, and is committed to developing 
environmentally friendly technologies. Third Parties are required to identify, manage, and 
report Greenhouse Gas (GHG) emissions as specified by the GHG Protocol or other well- 
established reporting methodologies — or to commit to working toward those objectives. 
Third Parties are strongly encouraged to set goals to reduce their overall GHG emissions 
footprint; support renewable energy; and offset, remove, or mitigate any residual 
emissions. 


Responsible Sourcing of Materials 


Third Parties are required to commit to responsible sourcing of materials and to exercise 
due diligence when obtaining materials likely to originate in areas at high risk for human 
rights violations, environmental degradation, child or compulsory labor, or any other issue 
covered under this Code. 


Compliance 


Third Parties are required to notify Cloudflare promptly of any violation of the Code. Cloudflare 
reserves the right to conduct a reasonable audit or inspection of any Third Party’s facilities
or operations regarding any Third Party claim associated with this Code, or resulting from
credible evidence of non-compliance. 


Reports of non-compliance can be made via Cloudflare’s Helpline online or by phone 
(international calling numbers provided on the website), which allows for anonymous reporting 
in certain jurisdictions as permitted by local law. Cloudflare will do its best to keep all
reports as confidential as possible in a manner consistent with conducting a fair and proper
investigation, and in compliance with applicable law. All good-faith reports are protected by 
our Policy Against Retaliation. 


Third Parties must immediately report any actual or suspected security incident to Cloudflare’s 
SIRT Team via email. 


Any Third Party found in violation of the Code, that upon reasonable notice fails to take 
corrective action, may jeopardize that Third Party’s business relationship with Cloudflare, up to 
and including termination. 


